Windows Firewall Auto Blocking With Wazuh - Auto Block Connections to Malicious IPs with Wazuh!

9,475 views

Taylor Walton
A day ago

Join me as we create an Active Response action to dynamically create a Windows Firewall rule that blocks outbound connections to known malicious IPs. Protect your endpoints! Let's deploy a Host Intrusion Detection System and SIEM with free open source tools. Join me as we explore and learn together.
Blog Post: / auto-block-malicious-i...
Buy Me A Coffee: bit.ly/3woh21M
Security Operations Center as a Service: www.socfortres...
Your Own Server: bit.ly/3Eug9Wf
Discord Channel: / discord
Check us out: www.opensecure...
Interact with our demo: bit.ly/3tzKJLz
Hire us: www.opensecure...

Comments: 12

@guillermomariel4772 11 months ago
Taylor, good video. I have a question: the result that MISP gives me in data.misp.value is the name of the domain, not the IP address of the malicious domain. What do I have to modify to obtain the IP and trigger the event to generate the rule in the firewall? Cheers and thanks for your time!
@Sebas-lk3jv 11 months ago
How about blocking IPs from brute-force attacks? It seems to be the most common attack on Windows.
@alejandroparrello6493 1 year ago
Hi dear Taylor! Wish you are well! Excellent work! Could you tell me why it needed PS7 for this purpose? With the built-in one doesn't it work? Thank you in advance! Regards from Argentina! 😉🙌
@МаксимКиселёв-б9з 7 months ago
Taylor, good video. I have a question: the result that MISP gives me in data.misp.value is the name of the domain, not the IP address of the malicious domain. What do I have to modify to obtain the IP and trigger the event to generate the rule in the firewall?
@waynescroggins4057 5 months ago
I love the video, but I am running into an issue. Instead of using MISP, I simply wanted to block on either rule 60122 or 60204, but it does not appear that either is firing the firewall.cmd at all. Did I miss something? My installation is the all-in-one vanilla and my agents were installed with the PowerShell command, but even when I change the executable to the restart Wazuh agent, I do not see it function. It feels like there is one switch somewhere that I need to set, but I see none anywhere. Can you assist? Thanks
@naseraslam92 2 years ago
Well explained, thank you so much. It is very helpful, especially for beginners.
@gufrankhan3007 1 year ago
@Taylor I am following your vids but I can't find the MISP value, even in security events. Has this changed now?
@byt3b4dger 2 years ago
Hello all, first of all many thanks for the very informative videos! I'm stuck on one problem: how can I search all agents for a specific installed software? As an example: I want to know on which hosts Firefox is installed. Can this be done via a visualization or via the API, and if so, how? Thanks in advance and keep up the good work!
@ChrisForbes509 2 years ago
OSQuery?
@zenitsuagatsuma3264 2 years ago
Hello Sir, really liked your videos! Can we add only the IP addresses that matched MISP entries, with no removal from Windows Firewall after the set time, in order to permanently block the IP? If yes, can you send some guide please :)
@taylorwalton_socfortress 2 years ago
Sure can, just set the section to no.